Shortcuts
|
Vulnerable Ports
This list (a very small part of our SG Ports database) includes TCP/UDP ports currently tested by our Security Scanner, and corresponding potential security threats.
We update the list on a regular basis, however if you feel we should add other port(s) to the list or modify their descriptions, please .
Any feedback and suggestions can also be posted to our Security forum.
| Port(s) |
Protocol |
Service |
Scan level |
Description |
| 6526 |
tcp |
trojan |
Premium scan |
Glacier trojan |
| 6540 |
tcp |
applications |
not scanned |
RIFT uses ports 6520-6540 |
| 6541 |
tcp |
applications |
not scanned |
MirrorOp2 (default) |
| 6542 |
tcp |
applications |
not scanned |
The irccd.exe service in EMC Replication Manager Client before 5.3 and NetWorker Module for Microsoft Applications 2.1.x and 2.2.x allows remote attackers to execute arbitrary commands via the RunProgram function to TCP port 6542.
References: [CVE-2011-0647], [BID-46235]
Port is also used by MirrorOp2 (fallback). |
| 6543 |
tcp |
trojans |
Premium scan |
W32.Mytob.FO@mm [Symantec-2005-061910-3159-99] (2005.06.19) - mass-mailing worm that attempts to open an IRC backdoor on ports 2094/tcp or 6543/tcp.
Port 6543 (TCP) is Pylons project#Pyramid Default Pylons Pyramid web service port
IANA registered for: lds_distrib (TCP/UDP) |
| 6543 |
udp |
applications |
not scanned |
Paradigm Research & Development Jetnet default
Vertica (big data analytics platform) uses the following ports:
22 TCP sshd admin tools and management console
4803 TCP/UDP - Spread client connections
4804 UDP - Spread daemon connections
5433 TCP - Vertica client (vsql, ODBC, JDBC, etc) port
5433 UDP - Vertica spread monitoring
5434 TCP - Vertica intra- and inter-cluster communication
5444 TCP - Vertica management console
5450 TCP - Vertica management console
6543 UDP - Spread monitor to daemon connection |
| 6547 |
tcp,udp |
apc-6547 |
not scanned |
APC 6547 [American Power Conversion] (IANA official) |
| 6548 |
tcp,udp |
apc-6548 |
not scanned |
APC 6548 [American Power Conversion] (IANA official) |
| 6549 |
tcp,udp |
apc-6549 |
not scanned |
APC 6549 [American Power Conversion] (IANA official) |
| 6550 |
tcp,udp |
applications |
not scanned |
GeoVision TwinDVR with Webcam |
| 6556 |
tcp |
multiple |
Members scan |
Check MK Agent uses this port.
check_mk could allow a local attacker to obtain sensitive information, caused by the creation of temporary insecure files by the check_mk_agent/job directory. A local attacker could exploit this vulnerability by creating a symbolic link from a temporary file to the service on port 6556, which could allow the attacker to gain access to files on the system and obtain sensitive information.
References: [XFDB-93520], [CVE-2014-0243], [BID-67674]
W32.Toxbot.C [Symantec-2005-063015-3130-99] (2005.06.30) - worm that opens a backdoor on the compromised computer. Spreads by exploiting common Windows vulnerabilities. Opens and IRC backdoor on port 6556/tcp.
Also: W32.Toxbot.AL [Symantec-2005-100715-4523-99] (2005.10.07).
Malware that uses port 6556/tcp:
AutoSpY trojan
W32.Toxbot |
| 6560 |
tcp |
applications |
not scanned |
Speech-Dispatcher daemon |
| 6564 |
tcp |
trojans |
Members scan |
Trojans that use this port:
Sdbot [Symantec-2004-091515-5411-99] (2004.09.15) - a.k.a IRC-Sdbot, Backdoor.IRC.SdBot
w32/Akbot (2006.05.01) - attempts to join the IRC servers and listens on TCP port 6564 |
| 6565 |
tcp |
trojans |
Members scan |
Nemog backdoor - discovered 2004.08.16. A Backdoor Trojan horse that allows an infected computer to be used as an email relay and HTTP proxy, dropped by W32.Mydoom.Q@mm.
It can use one of the following ports: 3306,4242,4661,6565,8080 |
| 6566 |
tcp,udp |
sane-port |
not scanned |
IANA registered for: SANE Control Port |
| 6568 |
tcp |
canit_store |
not scanned |
AnyDesk remote desktop software uses TCP ports 80, 443, 6568, 7070 (direct line connection)
CanIt Storage Manager |
| 6568 |
udp |
rp-reputation |
not scanned |
Roaring Penguin IP Address Reputation Collection |
| 6571 |
tcp,udp |
applications |
not scanned |
Windows Live FolderShare client |
| 6580 |
tcp,udp |
parsec-master |
not scanned |
Parsec Masterserver |
| 6581 |
tcp,udp |
parsec-peer |
not scanned |
Parsec Peer-to-Peer |
| 6582 |
tcp,udp |
parsec-game |
not scanned |
Parsec Gameserver, The Settlers II 10th Aniversary Edition |
| 6588 |
tcp |
analogx |
Premium scan |
Port used by AnalogX proxy server. Common web proxy server ports: 8080, 80, 3128, 6588
Buffer overflows in AnalogX Proxy before 4.12 allows remote attackers to cause a denial of service and possibly execute arbitrary code via a long HTTP request to TCP port 6588 or a SOCKS 4A request to TCP port 1080 with a long DNS hostname.
References: [CVE-2002-1001] [BID-5139]
Buffer overflow in AnalogX Proxy 4.13 allows remote attackers to execute arbitrary code via a long URL to port 6588.
References: [CVE-2003-0410] [BID-7681] |
| 6595 |
tcp |
applications |
Members scan |
Backdoor.Assasin.C trojan - opens a backdoor on one of the following ports: 5695,6595,6969,27589. Backdoor.Assasin opens port 27589, Backdoor.Assasin.B opens port 6969, Backdoor.Assasin.C opens port 6595, and Backdoor.Assasin.D opens port 5695 to listen for commands from the attacker. |
| 6600 |
tcp |
mshvlm |
not scanned |
IANA registered for: Microsoft Hyper-V Live Migration |
| 6601 |
tcp |
mstmg-sstp |
not scanned |
Microsoft Threat Management Gateway SSTP
Imperial Glory game also uses port 6601 (TCP/UDP) |
| 6602 |
tcp |
wsscomfrmwk |
not scanned |
Windows WSS Communication Framework |
| 6619 |
tcp,udp |
odette-ftps |
not scanned |
ODETTE-FTP over TLS/SSL (IANA official) [RFC 5024] |
| 6620 |
tcp,udp |
kftp-data |
not scanned |
Kerberos V5 FTP Data |
| 6621 |
tcp,udp |
kftp |
not scanned |
Kerberos V5 FTP Control |
| 6623 |
tcp,udp |
ktelnet |
not scanned |
Kerberos V5 Telnet |
| 6624 |
tcp |
datascaler-db |
not scanned |
DataScaler database |
| 6625 |
tcp |
datascaler-ctl |
not scanned |
DataScaler control |
| 6626 |
tcp,udp |
wago-service |
not scanned |
Semaphore Messenger
WAGO Service and Update (IANA official) |
| 6629 |
tcp,udp |
nexgen-aux |
not scanned |
IANA registered for: Secondary, (non ANDI) multi-protocol multi-function interface to the Allied ANDI-based family of forecourt controllers |
| 6631 |
tcp |
worm |
Premium scan |
Backdoor.Sdbot.AG [Symantec-2004-111817-1202-99] (2004.11.18) - network-aware worm with backdoor capabilities that spreads through network shares. Affects all current Windows versions.
It opens a backdoor by connecting to an IRC server (ronz1.afraid.org or ronz2.afraid.org) on port 6631/tcp. |
| 6632 |
tcp |
mxodbc-connect |
not scanned |
eGenix mxODBC Connect |
| 6633 |
udp |
cisco-vpath-tun |
not scanned |
Cisco vPath Services Overlay [Cisco] (IANA official) |
| 6633 |
tcp |
openflow |
not scanned |
OpenFlow/sFlow - open network messaging standard, newer controller software now uses port 6653/tcp instead. Traffic from switches is on port 6343/udp. |
| 6634 |
udp |
mpls-pm |
not scanned |
MPLS Performance Measurement out-of-band response [Cisco_Systems_2] (IANA official) |
| 6635 |
udp |
mpls-udp |
not scanned |
Encapsulate MPLS packets in UDP tunnels (IANA official) [RFC 7510] |
| 6636 |
udp |
mpls-udp-dtls |
not scanned |
Encapsulate MPLS packets in UDP tunnels with DTLS (IANA official) [RFC 7510] |
| 6640 |
tcp |
ovsdb |
not scanned |
Open vSwitch Database protocol (IANA official) [RFC 7047] |
| 6644 |
tcp,udp |
intercloud |
not scanned |
Cisco Intercloud Fabric tunnel uses ports 6644 and 6646 TCP/UDP. Intercloud also uses TCP ports 22(ssh), 443(https) and 3389(RDP). |
| 6646 |
tcp,udp |
intercloud |
not scanned |
Cisco Intercloud Fabric tunnel uses ports 6644 and 6646 TCP/UDP. Intercloud also uses TCP ports 22(ssh), 443(https) and 3389(RDP).
Games that use this port: Scrabble v2
McAfee Network Agent also uses port 6646 (UDP). |
| 6653 |
tcp |
openflow |
not scanned |
OpenFlow/sFlow - open network messaging standard that creates a format for notifications generated by networking equipment (routers, switches) to be picked by monitoring software for analyzis of traffic and congestion. Competing product to NetFlow owned by Cisco. OpenFlow controllers listen for switches on port 6653/tcp (earlier versions used port 6633/tcp). Traffic from switches is on port 6343/udp. |
| 6655 |
tcp |
trojan |
Premium scan |
Aqua trojan
IANA registered for: PC SOFT - Software factory UI/manager. |
| 6656 |
tcp |
emgmsg |
not scanned |
IANA registered for: Emergency Message Control Service. |
| 6657 |
udp |
palcom-disc |
not scanned |
IANA registered for: PalCom Discovery. |
| 6660 |
tcp |
trojans |
Members scan |
W32.Spybot.OBZ [Symantec-2005-042413-0059-99] (2005.04.24) - worm with DDoS and backdoor capabilities. Exploits multiple vulnerabilities, spreads through network shares. Opens a backdoor on port 6660/tcp.
Internet Relay Chat (IRC)
LameSpy trojan also uses this port.
Stack-based buffer overflow in the AntServer Module (AntServer.exe) in BigAnt IM Server 2.50 allows remote attackers to execute arbitrary code via a long GET request to TCP port 6660.
References: [CVE-2009-4660], [BID-36407]
|
| 6661 |
tcp |
applications |
Members scan |
Internet Relay Chat
BigAnt IM Sever is vulnerable to a stack-based buffer overflow, caused by improper bounds checking when processing TCP requests by AntServer.exe. By sending a specially-crafted DDNF command containing an overly long string to TCP port 6661, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash.
References: [XFDB-83351], [EDB-24943]
Trojans using this port: Weia-Meia, TEMan |
| 6662 |
tcp |
applications |
not scanned |
Internet Relay Chat, Radmind protocol |
| 6663 |
tcp |
trojans |
Premium scan |
W32.Mytob.GA@mm [Symantec-2005-062409-5944-99] (2005.06.24) - mass-mailing worm that opens a backdoor and listens for remote commands on port 6663/tcp.
Port also used by the W32.Mytob.HM@mm [Symantec-2005-071400-1143-99] variant of the worm.
Internet Relay Chat also uses this port. |
| 6664 |
tcp |
applications |
Members scan |
Internet Relay Chat
W32.Zotob.K trojan [Symantec-2005-082415-0814-99] exploits Windows vulnerabilities on port 445, opens UDP port 69 for TFTP, listens to TCP ports 6664 and 8172. |
| 6665 |
tcp,udp |
irc |
Members scan |
IRC (Internet Relay Chat)
Many trojans/backdoors also use this port: Dark Connection Inside, Dark FTP, Host Control, NetBus worm , ScheduleAgent, SubSeven, Trinity, WinSatan, Vampire.
Backdoor.IRC.Flood [Symantec-2001-080313-3306-99]
Backdoor.Hacarmy.E [Symantec-2004-101417-2331-99]
W32.Spybot.EAS [Symantec-2004-093016-3632-99] - DDoS and backdoor capabilities, also attempts to steal confidential info. Uses port 6667/tcp.
Backdoor.Sdbot.AC [Symantec-2004-100415-4933-99] - backdoor trojan, uses port 6667/tcp.
Backdoor.Sdbot.AF [Symantec-2004-111811-0117-99] - backdoor trojan, uses port 6667/tcp.
Backdoor.Alnica [Symantec-2004-110315-5443-99] - backdoor trojan, uses port 6667/tcp to connect to IRC, also sends ICQ messages.
Backdoor.Maxload [Symantec-2004-110420-4659-99] - backdoor trojan, affects Linux and Unix computers ! Attempts to connect to IRC servers on port 6667/tcp.
Backdoor.Hacarmy.E [Symantec-2004-101417-2331-99] - backdoor trojan, uses port 6667/tcp.
Backdoor.Hacarmy.F [Symantec-2004-110511-0258-99] - backdoor trojan, connects to IRC servers on port 6667/tcp.
W32.Bofra.A@mm [Symantec-2004-110916-0038-99] - uses ports 1639 and 6667/tcp.
W32.Bofra.E@mm [Symantec-2004-111213-5143-99] - a mass-mailing worm, runs a HTTP server on port 1639/tcp, attempts to connect to IRC servers on port 6667/tcp.
W32.Cissi.W [Symantec-2005-012811-2022-99] - IRC bot worm with backdoor capabilities. Uses port 6667, propagates through network shares.
Backdoor.Lateda.B [Symantec-2005-011714-4950-99] - backdoor trojan with remote access capabilities. Connects to an IRC server on port 6667, opens a backdoor on port 9999/tcp.
W32.Linkbot.M [Symantec-2005-052109-2651-99] - opens a backdoor on port 6667/tcp. Also listens on port 113/tcp.
W32.Zotob.D [Symantec-2005-081609-4733-99] - a worm that opens a backdoor and exploits the MS Plug and Play Buffer Overflow vulnerability (MS Security Bulletin [MS05-039]) on port 445/tcp. Conects to IRC servers to listen for remote commands on port 6667/tcp. Also opens an FTP server on port 1117/tcp.
W32.Zotob.H [Symantec-2005-081717-2017-99] - a worm that opens a backdoor and exploits the MS Plug and Play Buffer Overflow vulnerability ([MS05-039]) on port 445/tcp. It runs and spreads using all current Windows versions, but only infects Windows 2000. The worm connects to IRC servers and listens for remote commands on port 6667/tcp. It opens port 69/udp to initiate TFTP transfers. It also opens a backdoor on remote compromised computers on port 8563/tcp. |
| 6666 |
tcp,udp |
irc |
Members scan |
IRC (Internet Relay Chat)
Some TechniColor routers allow for SSH connections on this port using root/root as login.
Many trojans/backdoors also use this port: Dark Connection Inside, Dark FTP, Host Control, NetBus worm , ScheduleAgent, SubSeven, Trinity, WinSatan, Vampire, TCPshell.c.
Backdoor.IRC.Flood [Symantec-2001-080313-3306-99]
Backdoor.Hacarmy.E [Symantec-2004-101417-2331-99]
W32.Spybot.EAS [Symantec-2004-093016-3632-99] - DDoS and backdoor capabilities, also attempts to steal confidential info. Uses port 6667/tcp.
Backdoor.Sdbot.AC [Symantec-2004-100415-4933-99] - backdoor trojan, uses port 6667/tcp.
Backdoor.Sdbot.AF [Symantec-2004-111811-0117-99] - backdoor trojan, uses port 6667/tcp.
Backdoor.Alnica [Symantec-2004-110315-5443-99] - backdoor trojan, uses port 6667/tcp to connect to IRC, also sends ICQ messages.
Backdoor.Maxload [Symantec-2004-110420-4659-99] - backdoor trojan, affects Linux and Unix computers ! Attempts to connect to IRC servers on port 6667/tcp.
Backdoor.Hacarmy.E [Symantec-2004-101417-2331-99] - backdoor trojan, uses port 6667/tcp.
Backdoor.Hacarmy.F [Symantec-2004-110511-0258-99] - backdoor trojan, connects to IRC servers on port 6667/tcp.
W32.Bofra.A@mm [Symantec-2004-110916-0038-99] - uses ports 1639 and 6667/tcp.
W32.Bofra.E@mm [Symantec-2004-111213-5143-99] - a mass-mailing worm, runs a HTTP server on port 1639/tcp, attempts to connect to IRC servers on port 6667/tcp.
W32.Cissi.W [Symantec-2005-012811-2022-99] - IRC bot worm with backdoor capabilities. Uses port 6667, propagates through network shares.
Backdoor.Lateda.B [Symantec-2005-011714-4950-99] - backdoor trojan with remote access capabilities. Connects to an IRC server on port 6667, opens a backdoor on port 9999/tcp.
W32.Linkbot.M [Symantec-2005-052109-2651-99] - opens a backdoor on port 6667/tcp. Also listens on port 113/tcp.
W32.Zotob.D [Symantec-2005-081609-4733-99] - a worm that opens a backdoor and exploits the MS Plug and Play Buffer Overflow vulnerability (MS Security Bulletin [MS05-039]) on port 445/tcp. Conects to IRC servers to listen for remote commands on port 6667/tcp. Also opens an FTP server on port 1117/tcp.
W32.Zotob.H [Symantec-2005-081717-2017-99] - a worm that opens a backdoor and exploits the MS Plug and Play Buffer Overflow vulnerability ([MS05-039]) on port 445/tcp. It runs and spreads using all current Windows versions, but only infects Windows 2000. The worm connects to IRC servers and listens for remote commands on port 6667/tcp. It opens port 69/udp to initiate TFTP transfers. It also opens a backdoor on remote compromised computers on port 8563/tcp.
Verint 5620PTZ Verint_FW_0_42 and Verint 4320 V4320_FW_0_23, and V4320_FW_0_31 units feature an autodiscovery service implemented in the binary executable '/usr/sbin/DM' that listens on port TCP 6666. The service is vulnerable to a stack buffer overflow. It is worth noting that this service does not require any authentication.
References: [CVE-2020-24055]
Backdoor.Win32.FTP.Lana.01.d / Weak Hardcoded Password - The malware listens on TCP port 6666. The credentials "user" and "pass" are weak and stored in plaintext with the executable.
References: [MVID-2022-0468]
Backdoor.Win32.FTP.Lana.01.d / Port Bounce Scan (MITM) - the malware listens on TCP port 6666. Third-party intruders who successfully logon can abuse the backdoor FTP server as a man-in-the-middle machine allowing PORT Command bounce scan attacks using Nmap. This vulnerability allows remote attackers to abuse your system and discreetly conduct network port scanning. Victims will then think these scans are originating from the infected system running the afflicted malware FTP Server and not you.
References: [MVID-2022-0469]
Backdoor.Win32.Kilo.016 / Denial of Service (UDP Datagram) - the malware listens on TCP ports 6712, 6713, 6714, 6715, 7722, 15206, 15207, 16712 and UDP 6666. Attackers who can reach an infected host can send a large payload to UDP port 6666 causing a disruption in service.
References: [MVID-2022-0546] |
| 6667 |
tcp,udp |
irc |
Members scan |
IRC (Internet Relay Chat)
Many trojans/backdoors also use this port: Dark Connection Inside, Dark FTP, Host Control, NetBus worm , ScheduleAgent, SubSeven, Trinity, WinSatan, Vampire, Moses, Maniacrootkit, kaitex, EGO.
Backdoor.IRC.Flood [Symantec-2001-080313-3306-99]
Backdoor.Hacarmy.E [Symantec-2004-101417-2331-99]
W32.Spybot.EAS [Symantec-2004-093016-3632-99] - DDoS and backdoor capabilities, also attempts to steal confidential info. Uses port 6667/tcp.
Backdoor.Sdbot.AC [Symantec-2004-100415-4933-99] - backdoor trojan, uses port 6667/tcp.
Backdoor.Sdbot.AF [Symantec-2004-111811-0117-99] - backdoor trojan, uses port 6667/tcp.
Backdoor.Alnica [Symantec-2004-110315-5443-99] - backdoor trojan, uses port 6667/tcp to connect to IRC, also sends ICQ messages.
Backdoor.Maxload [Symantec-2004-110420-4659-99] - backdoor trojan, affects Linux and Unix computers ! Attempts to connect to IRC servers on port 6667/tcp.
Backdoor.Hacarmy.E [Symantec-2004-101417-2331-99] - backdoor trojan, uses port 6667/tcp.
Backdoor.Hacarmy.F [Symantec-2004-110511-0258-99] - backdoor trojan, connects to IRC servers on port 6667/tcp.
W32.Bofra.A@mm [Symantec-2004-110916-0038-99] - uses ports 1639 and 6667/tcp.
W32.Bofra.E@mm [Symantec-2004-111213-5143-99] - a mass-mailing worm, runs a HTTP server on port 1639/tcp, attempts to connect to IRC servers on port 6667/tcp.
W32.Cissi.W [Symantec-2005-012811-2022-99] - IRC bot worm with backdoor capabilities. Uses port 6667, propagates through network shares.
Backdoor.Lateda.B [Symantec-2005-011714-4950-99] - backdoor trojan with remote access capabilities. Connects to an IRC server on port 6667, opens a backdoor on port 9999/tcp.
W32.Linkbot.M [Symantec-2005-052109-2651-99] - opens a backdoor on port 6667/tcp. Also listens on port 113/tcp.
W32.Zotob.D [Symantec-2005-081609-4733-99] - a worm that opens a backdoor and exploits the MS Plug and Play Buffer Overflow vulnerability (MS Security Bulletin [MS05-039]) on port 445/tcp. Conects to IRC servers to listen for remote commands on port 6667/tcp. Also opens an FTP server on port 1117/tcp.
W32.Zotob.H [Symantec-2005-081717-2017-99] - a worm that opens a backdoor and exploits the MS Plug and Play Buffer Overflow vulnerability ([MS05-039]) on port 445/tcp. It runs and spreads using all current Windows versions, but only infects Windows 2000. The worm connects to IRC servers and listens for remote commands on port 6667/tcp. It opens port 69/udp to initiate TFTP transfers. It also opens a backdoor on remote compromised computers on port 8563/tcp.
Backdoor.Win32.Adverbot / Remote Stack Corruption - null instruction pointer read stack corruption when connecting to an IRC server Port 6667. The NetControl.File component allows connecting to server to IRC servers to file share or send messages under Menu/connect.
References: [MVID-2021-0003]
Backdoor.Win32.Whisper.b / Remote Stack Corruption - Whisper.b listens on TCP port 113 and connects to port 6667, deletes itself drops executable named rundll32.exe in Windows\System dir. The malware is prone to stack corruption issues when receiving unexpected characters of random sizes.
References: [MVID-2021-0039] |
| 6668 |
tcp,udp |
irc |
Members scan |
IRC (Internet Relay Chat)
Many trojans/backdoors also use this port: Dark Connection Inside, Dark FTP, Host Control, NetBus worm , ScheduleAgent, SubSeven, Trinity, WinSatan, Vampire.
Backdoor.IRC.Flood [Symantec-2001-080313-3306-99]
Backdoor.Hacarmy.E [Symantec-2004-101417-2331-99]
W32.Spybot.EAS [Symantec-2004-093016-3632-99] - DDoS and backdoor capabilities, also attempts to steal confidential info. Uses port 6667/tcp.
Backdoor.Sdbot.AC [Symantec-2004-100415-4933-99] - backdoor trojan, uses port 6667/tcp.
Backdoor.Sdbot.AF [Symantec-2004-111811-0117-99] - backdoor trojan, uses port 6667/tcp.
Backdoor.Alnica [Symantec-2004-110315-5443-99] - backdoor trojan, uses port 6667/tcp to connect to IRC, also sends ICQ messages.
Backdoor.Maxload [Symantec-2004-110420-4659-99] - backdoor trojan, affects Linux and Unix computers ! Attempts to connect to IRC servers on port 6667/tcp.
Backdoor.Hacarmy.E [Symantec-2004-101417-2331-99] - backdoor trojan, uses port 6667/tcp.
Backdoor.Hacarmy.F [Symantec-2004-110511-0258-99] - backdoor trojan, connects to IRC servers on port 6667/tcp.
W32.Bofra.A@mm [Symantec-2004-110916-0038-99] - uses ports 1639 and 6667/tcp.
W32.Bofra.E@mm [Symantec-2004-111213-5143-99] - a mass-mailing worm, runs a HTTP server on port 1639/tcp, attempts to connect to IRC servers on port 6667/tcp.
W32.Cissi.W [Symantec-2005-012811-2022-99] - IRC bot worm with backdoor capabilities. Uses port 6667, propagates through network shares.
Backdoor.Lateda.B [Symantec-2005-011714-4950-99] - backdoor trojan with remote access capabilities. Connects to an IRC server on port 6667, opens a backdoor on port 9999/tcp.
W32.Linkbot.M [Symantec-2005-052109-2651-99] - opens a backdoor on port 6667/tcp. Also listens on port 113/tcp.
W32.Zotob.D [Symantec-2005-081609-4733-99] - a worm that opens a backdoor and exploits the MS Plug and Play Buffer Overflow vulnerability (MS Security Bulletin [MS05-039]) on port 445/tcp. Conects to IRC servers to listen for remote commands on port 6667/tcp. Also opens an FTP server on port 1117/tcp.
W32.Zotob.H [Symantec-2005-081717-2017-99] - a worm that opens a backdoor and exploits the MS Plug and Play Buffer Overflow vulnerability ([MS05-039]) on port 445/tcp. It runs and spreads using all current Windows versions, but only infects Windows 2000. The worm connects to IRC servers and listens for remote commands on port 6667/tcp. It opens port 69/udp to initiate TFTP transfers. It also opens a backdoor on remote compromised computers on port 8563/tcp.
Backdoor.Win32.Kraimer.11 / Missing Authentication - Kraimer listens for commands on TCP port 6668, due to a lack of authentication anyone can telnet to the infected host. Seems only one established connection at a time is allowed, so if you telnet in then no other connections are honored. Therefore, if you make TCP connection and theres already an established connection you will get refused.
References: [MVID-2021-0046] |
| 6669 |
tcp,udp |
irc |
Members scan |
IRC (Internet Relay Chat)
Many trojans/backdoors also use this port: Dark Connection Inside, Dark FTP, Host Control, NetBus worm , ScheduleAgent, SubSeven, Trinity, WinSatan, Vampire.
Backdoor.IRC.Flood [Symantec-2001-080313-3306-99]
Backdoor.Hacarmy.E [Symantec-2004-101417-2331-99]
W32.Spybot.EAS [Symantec-2004-093016-3632-99] - DDoS and backdoor capabilities, also attempts to steal confidential info. Uses port 6667/tcp.
Backdoor.Sdbot.AC [Symantec-2004-100415-4933-99] - backdoor trojan, uses port 6667/tcp.
Backdoor.Sdbot.AF [Symantec-2004-111811-0117-99] - backdoor trojan, uses port 6667/tcp.
Backdoor.Alnica [Symantec-2004-110315-5443-99] - backdoor trojan, uses port 6667/tcp to connect to IRC, also sends ICQ messages.
Backdoor.Maxload [Symantec-2004-110420-4659-99] - backdoor trojan, affects Linux and Unix computers ! Attempts to connect to IRC servers on port 6667/tcp.
Backdoor.Hacarmy.E [Symantec-2004-101417-2331-99] - backdoor trojan, uses port 6667/tcp.
Backdoor.Hacarmy.F [Symantec-2004-110511-0258-99] - backdoor trojan, connects to IRC servers on port 6667/tcp.
W32.Bofra.A@mm [Symantec-2004-110916-0038-99] - uses ports 1639 and 6667/tcp.
W32.Bofra.E@mm [Symantec-2004-111213-5143-99] - a mass-mailing worm, runs a HTTP server on port 1639/tcp, attempts to connect to IRC servers on port 6667/tcp.
W32.Cissi.W [Symantec-2005-012811-2022-99] - IRC bot worm with backdoor capabilities. Uses port 6667, propagates through network shares.
Backdoor.Lateda.B [Symantec-2005-011714-4950-99] - backdoor trojan with remote access capabilities. Connects to an IRC server on port 6667, opens a backdoor on port 9999/tcp.
W32.Linkbot.M [Symantec-2005-052109-2651-99] - opens a backdoor on port 6667/tcp. Also listens on port 113/tcp.
W32.Zotob.D [Symantec-2005-081609-4733-99] - a worm that opens a backdoor and exploits the MS Plug and Play Buffer Overflow vulnerability (MS Security Bulletin [MS05-039]) on port 445/tcp. Conects to IRC servers to listen for remote commands on port 6667/tcp. Also opens an FTP server on port 1117/tcp.
W32.Zotob.H [Symantec-2005-081717-2017-99] - a worm that opens a backdoor and exploits the MS Plug and Play Buffer Overflow vulnerability ([MS05-039]) on port 445/tcp. It runs and spreads using all current Windows versions, but only infects Windows 2000. The worm connects to IRC servers and listens for remote commands on port 6667/tcp. It opens port 69/udp to initiate TFTP transfers. It also opens a backdoor on remote compromised computers on port 8563/tcp. |
| 6670 |
tcp |
vocaltec |
Members scan |
Vocaltec global online directory.
Some trojans also use this port: BackWeb Server, Deep Throat, Foreplay, WinNuke eXtreame. |
| 6671 |
tcp |
trojan |
Premium scan |
Deep Throat trojan |
| 6677 |
tcp |
trojans |
Premium scan |
W32.Mydoom.BT@mm [Symantec-2005-051416-1428-99] (2005.05.14) - mass-mailing worm with backdoor capabilities, that uses its own SMTP engine. It communicates with an IRC server and listens for remote commands on port 6677/tcp.
An issue was discovered in Thomson Reuters Desktop Extensions 1.9.0.358. An unauthenticated directory traversal and local file inclusion vulnerability in the ThomsonReuters.Desktop.Service.exe and ThomsonReuters.Desktop.exe allows a remote attacker to list or enumerate sensitive contents of files via a \.. to port 6677. Additionally, this could allow for privilege escalation by dumping the affected machine's SAM and SYSTEM database files, as well as remote code execution.
References: [CVE-2019-8385] |
| 6678 |
udp |
vfbp-disc |
not scanned |
IANA registered for: Viscount Freedom Bridge Discovery |
| 6678 |
tcp |
vfbp |
not scanned |
Viscount Freedom Bridge Protocol |
| 6679 |
tcp,udp |
osaut |
not scanned |
IRC SSL (Secure Internet Relay Chat)
IANA registered for: Osorno Automation |
| 6681 |
tcp,udp |
applications |
not scanned |
UPnP, Bittorent, peer-to-peer |
| 6687 |
tcp |
clever-ctrace |
not scanned |
CleverView for cTrace Message Service |
| 6688 |
tcp |
clever-tcpip |
not scanned |
CleverView for TCP/IP Message Service |
| 6689 |
tcp,udp |
tsa |
not scanned |
Tofino Security Appliance
The web console in CA (formerly Computer Associates) eTrust ITM (Threat Manager) 8.1 allows remote attackers to redirect users to arbitrary web sites via a crafted HTTP URL on port 6689.
References: [CVE-2007-5437], [BID-26013] |
| 6696 |
udp |
babel |
not scanned |
Babel Routing Protocol [RFC6126] (IANA official) |
| 6697 |
tcp |
trojan |
Premium scan |
Backdoor.IRC.Zlulbot [Symantec-2011-062702-2634-99] (2011.06.24) - a trojan that opens a back door on the compromised computer by connecting to the IRC server irc.anonops.li on port 6697.
Force trojan also uses this port
Internet Relay Chat via TLS/SSL (IANA official) [RFC 7194] |
| 6699 |
tcp |
winmx |
Members scan |
Port used by p2p software, such as WinMX, Napster.
Note: WinMX also uses port 6257/udp.
Trojans using this port: Host Control trojan |
| 6699 |
udp |
babel-dtls |
not scanned |
IANA registered for: Babel Routing Protocol over DTLS |
| 6700 |
tcp,udp |
applications |
not scanned |
GameSpy Tunnel, developer: GameSpy Industries (IGN) |
| 6702 |
tcp |
applications |
not scanned |
IANA registered for: Tidal Enterprise Scheduler client-Socket. It is used for communication between Client-to-Master, though can be changed. |
| 6702 |
udp |
applications |
not scanned |
Carracho (client) |
| 6704 |
sctp |
frc-hp |
not scanned |
ForCES HP (High Priority) channel [RFC 5811] (IANA official) |
| 6705 |
sctp |
frc-mp |
not scanned |
ForCES MP (Medium Priority) channel [RFC 5811] (IANA official) |
| 6706 |
sctp |
frc-lp |
not scanned |
ForCES LP (Low priority) channel [RFC 5811] (IANA official) |
| 6711 |
tcp |
trojans |
Premium scan |
SubSeven/BackDoor-G trojan
VP Killer trojan
Backdoor.KiLo [Symantec-2003-021319-1815-99] - Windows remote access trojan, listens on ports 6711, 6718. May be related to KiLo trojan (ports 50829,61746,61747,61748).
Backdoor.Win32.MiniBlackLash / Remote DoS - MiniBlackLash listens on both TCP port 6711 and UDP port 60000. Sending a large HTTP request string of junk chars to UDP port 60000 will crash this backdoor.
References: [MVID-2021-0060] |
| 6712 |
tcp |
trojan |
Members scan |
BackDoor-G [Symantec-2000-121907-4858-99] trojan, SubSeven (Sub7) trojan, KiLo trojan, Funny trojan
Backdoor.Win32.Kilo.016 / Denial of Service (UDP Datagram) - the malware listens on TCP ports 6712, 6713, 6714, 6715, 7722, 15206, 15207, 16712 and UDP 6666. Attackers who can reach an infected host can send a large payload to UDP port 6666 causing a disruption in service.
References: [MVID-2022-0546] |
| 6713 |
tcp |
trojan |
Members scan |
BackDoor-G [Symantec-2000-121907-4858-99] trojan, SubSeven (Sub7) trojan, KiLo trojan
Backdoor.Win32.Kilo.016 / Denial of Service (UDP Datagram) - the malware listens on TCP ports 6712, 6713, 6714, 6715, 7722, 15206, 15207, 16712 and UDP 6666. Attackers who can reach an infected host can send a large payload to UDP port 6666 causing a disruption in service.
References: [MVID-2022-0546] |
| 6714 |
tcp |
trojan |
Premium scan |
Backdoor.Kilo [Symantec-2003-021319-1815-99]
Backdoor.Win32.Kilo.016 / Denial of Service (UDP Datagram) - the malware listens on TCP ports 6712, 6713, 6714, 6715, 7722, 15206, 15207, 16712 and UDP 6666. Attackers who can reach an infected host can send a large payload to UDP port 6666 causing a disruption in service.
References: [MVID-2022-0546] |
| 6715 |
tcp |
trojan |
Premium scan |
Backdoor.Kilo [Symantec-2003-021319-1815-99]
Port 6715 (TCP) is AberMUD and derivatives default port
Backdoor.Win32.Kilo.016 / Denial of Service (UDP Datagram) - the malware listens on TCP ports 6712, 6713, 6714, 6715, 7722, 15206, 15207, 16712 and UDP 6666. Attackers who can reach an infected host can send a large payload to UDP port 6666 causing a disruption in service.
References: [MVID-2022-0546] |
| 6716 |
tcp |
princity-agent |
not scanned |
Princity Agent (IANA official) |
| 6718 |
tcp |
trojans |
Premium scan |
Backdoor.KiLo [Symantec-2003-021319-1815-99] - Windows remote access trojan, listens on ports 6711, 6718. May be related to KiLo trojan (ports 50829,61746,61747,61748). |
| 6723 |
tcp |
trojan |
Premium scan |
Mstream trojan |
| 6751 |
tcp |
malware |
Premium scan |
Backdoor.Win32.Mazben.es / Unauthenticated Open Proxy - the malware listens on random TCP ports, known 2608, 6751, 3087, 5947. Third-party attackers who can connect to the infected system can relay requests from the original connection to the destination and then back to the origination system. Attackers may then be able to launch attacks, download files or port scan third party systems and it will appear as the attacks originated from that infected host.
References: [MVID-2021-0377] |
| 6754 |
tcp,udp |
trojans |
Premium scan |
Backdoor.Mapsy [Symantec-2002-120615-0547-99] (a.k.a. BackDoor-AMI, 2002.12.06) - a backdoor trojan that gives an attacker unauthorized access to an infected computer |
| 6766 |
tcp,udp |
trojan |
not scanned |
KiLo [Symantec-2003-021319-1815-99] trojan |
| 6767 |
tcp |
trojans |
Premium scan |
KiLo [Symantec-2003-021319-1815-99], Pasana, UandMe, NT Remote Control trojans
Backdoor.Win32.NTRC / Weak Hardcoded Credentials - the malware listens on TCP port 6767. Authentication is required, however the password "Please change me" is weak and hardcoded in cleartext at offset 0045E520. Commands get executed by sending the password delimited by a semicolon ";" E.g. Please change me;SystemInfo;. The command SendScreen dumps screenshot as .BMF file, to get the next part of the file issue SendScreenNextPart.
References: [MVID-2022-0646] |
| 6768 |
tcp |
applications |
not scanned |
BMC PATROL Agent Service Daemon 'BGS_MULTIPLE_READS' Command Remote Code Execution Vulnerability
References: [CVE-2011-0975], [BID-46151] |
| 6771 |
tcp |
trojans |
Premium scan |
DeepThroat, Foreplay, Reduced Foreplay |
| 6771 |
udp |
applications |
not scanned |
BitTorrent Local Peer Discovery, Polycom server broadcast |
| 6776 |
tcp |
trojans |
Members scan |
RAT (remote administration tool)
Trojans that use this port: 2000 Cracks, SubSeven/BackDoor-G, VP Killer |
| 6777 |
tcp,udp |
applications |
Premium scan |
BlackSite - Area 51
Trojans using this port: W32.Gaobot, W32/Bagle@MM [Symantec-2004-011815-3332-99]
Backdoor.Win32.IRCBot.gen / Unauthenticated Remote Command Execution - the malware listens on TCP port 6777. Third-party attackers who can reach infected systems can execute commands. Commands must be wrapped in quotes or it will fail.
References: [MVID-2021-0300]
IANA registered for: netTsunami Tracker (TCP) |
| 6778 |
tcp |
applications |
not scanned |
The OmniSwitch 7700/7800 running Alcatel Operating System (AOS) version 5.1.1 has TCP port 6778 listening as a telnet server. This gives anyone access to the OmniSwitch's Vx-Works operating system without requiring a password. This backdoor compromises the entire system.
References: [CVE-2002-1272], [BID-6220]
IANA registered for: netTsunami p2p storage system (TCP) |
| 6783 |
tcp |
applications |
not scanned |
Splashtop Remote |
| 6784 |
tcp |
applications |
not scanned |
Splashtop Remote |
| 6784 |
udp |
bfd-lag |
not scanned |
Bidirectional Forwarding Detection (BFD) on Link Aggregation Group (LAG) Interfaces [IESG] (IANA official) [RFC 7130] |
| 6785 |
tcp |
applications |
not scanned |
Splashtop Remote |
Vulnerabilities listed: 100 (some use multiple ports)
|
